From owner-freebsd-security Wed Nov 21 10:23:14 2001
Date: Wed, 21 Nov 2001 19:22:57 +0100 (CET)
From: Krzysztof Zaraska
To: Bart Matthaei
Cc: Dave Raven, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
In-Reply-To: <20011121183151.B15275@heresy.dreamflow.nl>

On Wed, 21 Nov 2001, Bart Matthaei wrote:

> > With IPFilter this is not so, IPNat runs in the kernel and should be faster.
> > If you are planning on large usage I would recommend IPFilter (less load)
> > and IPNat.
>
> I still don't see why ipf would be better when it comes to filtering.

This issue (at least in one aspect) has been discussed on this list around
Oct 30 (thread about keep-state and ICMP). The discussion strayed from the
original topic and someone pointed out that ipfilter does a more careful
inspection when dealing with dynamic rules (checks TCP sequence numbers etc.).

Regards,
Krzysztof

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
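To illustrate the kind of sequence-number inspection the reply refers to, here is an added toy model of a stateful TCP entry (written for this page, not ipfilter's or FreeBSD's code): it learns each side's window and ack from the handshake and then rejects packets whose sequence number falls outside the peer's advertised window or that acknowledge data the peer never sent. All addresses, ISNs and window sizes are constructed, and 32-bit sequence wraparound is ignored.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    seq: int
    ack: int
    win: int      # receive window the sender advertises
    length: int   # payload bytes; SYN/FIN consume one sequence number here


@dataclass
class Side:
    seq_end: int = 0  # highest seq + length seen from this side
    ack: int = 0      # highest ack number this side has sent
    win: int = 0      # receive window this side last advertised


class Flow:
    """Toy stateful TCP entry (simplified model, not ipfilter's code)."""

    def __init__(self, syn: Packet):
        self.sides = {syn.src: Side(syn.seq + syn.length, syn.ack, syn.win),
                      syn.dst: Side()}

    def check(self, p: Packet) -> bool:
        me, peer = self.sides.get(p.src), self.sides.get(p.dst)
        if me is None or peer is None:
            return False                        # not part of this flow
        if peer.ack:                            # peer has told us what it expects
            # segment must overlap the window the peer advertised ...
            if p.seq > peer.ack + peer.win or p.seq + p.length < peer.ack:
                return False
        if p.ack > peer.seq_end:                # ... and must not ack unsent data
            return False
        me.seq_end = max(me.seq_end, p.seq + p.length)
        me.ack, me.win = max(me.ack, p.ack), p.win
        return True


def run_demo() -> list[bool]:
    """Constructed handshake, then forged and legitimate packets."""
    c, s = "10.0.0.2", "10.0.0.1"
    flow = Flow(Packet(c, s, seq=1000, ack=0, win=8192, length=1))      # SYN
    return [flow.check(p) for p in (
        Packet(s, c, seq=5000, ack=1001, win=4096, length=1),           # SYN-ACK
        Packet(c, s, seq=1001, ack=5001, win=8192, length=0),           # ACK
        Packet(c, s, seq=1001, ack=5001, win=8192, length=100),         # 100 B of data
        Packet(s, c, seq=9_999_999, ack=1101, win=4096, length=10),     # seq far outside window
        Packet(s, c, seq=5001, ack=50_000, win=4096, length=10),        # acks data never sent
        Packet(s, c, seq=5001, ack=1101, win=4096, length=50),          # legitimate reply
    )]
```

A filter that only matched the 4-tuple would pass the two forged packets; the sequence and ack checks are what reject them.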